
Deploying Active Directory Rights Management Services in a Multiple Forest Environment Step-by-Step Guide
Microsoft Corporation
Published: March 2008
Author: Brian Lich
Editor: Carolyn Eller

Abstract
This step-by-step guide provides instructions for setting up a test environment to deploy and
evaluate Active Directory Rights Management Services (AD RMS) across multiple forests in
Windows Server® 2008. It includes the necessary information for installing and configuring
AD RMS in two forests and configuring a trusted user domain so that users from both forests can
exchange rights-protected content.
This document is provided for informational purposes only and Microsoft makes no warranties,
either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the example
companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be
inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, MS-DOS, Windows, Windows NT, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.

All other trademarks are property of their respective owners.


Contents
Deploying Active Directory Rights Management Services in a Multiple Forest Environment Step-by-Step Guide ..... 4
  About This Guide ..... 4
    What This Guide Does Not Provide ..... 4
Step 1: Setting up the Trey Research Domain ..... 6
  Configure the domain controller (TREY-DC) ..... 7
    Configure the Windows Server 2003–based domain controller ..... 8
      Install Active Directory ..... 8
      Raise the domain functional level to Windows Server 2003 ..... 9
      Configure a DNS forwarder ..... 9
    Configure the Windows Server 2008–based domain controller ..... 10
      Install Active Directory Domain Services ..... 10
      Configure a DNS forwarder ..... 11
  Create user accounts and groups ..... 11
  Configure the AD RMS database server (TREY-DB) ..... 13
  Configure the AD RMS root cluster computer (TREY-ADRMS) ..... 15
    Install the AD RMS root cluster computer ..... 15
    Add the AD RMS server role to TREY-ADRMS ..... 17
  Configure the AD RMS client computer (ADRMS-CLNT2) ..... 19
Step 2: Configure AD RMS to Work Across Forests ..... 20
  Create a trusted user domain between the AD RMS installations ..... 21
  Enable anonymous access on the AD RMS licensing pipeline ..... 22
  Extend Active Directory schema ..... 23
    Extend the schema in the cpandl.com domain ..... 23
    Extend the schema in the treyresearch.net domain ..... 25
  Create contact objects and distribution groups ..... 27
Step 3: Verifying AD RMS Functionality ..... 29


Deploying Active Directory Rights Management Services in a Multiple Forest Environment Step-by-Step Guide

About This Guide


This step-by-step guide walks you through the process of setting up two working Active Directory
Rights Management Services (AD RMS) infrastructures in a test environment. Specifically, this guide
shows how to implement AD RMS in two different Active Directory forests and then set up an
AD RMS trusted user domain so that users in both forests can exchange rights-protected
information.
In this guide, you will create a test deployment that includes the following components:
• Two AD RMS servers
• Two AD RMS database servers
• Two AD RMS clients
• Two Active Directory domain controllers
This guide assumes that you previously completed Windows Server Active Directory Rights
Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134), and
that you have already deployed the following components:
• An AD RMS server
• An AD RMS database server
• One AD RMS-enabled client
• One Active Directory domain controller

What This Guide Does Not Provide


This guide does not provide the following:
• An overview of AD RMS. For more information about the advantages that AD RMS
can bring to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
• Guidance for using identity federation with AD RMS. For guidance about this, see the
Using Identity Federation with Active Directory Rights Management Services Step-by-
Step Guide (http://go.microsoft.com/fwlink/?LinkId=72135).
• Guidance for setting up and configuring AD RMS in a production environment.
• Complete technical reference for AD RMS.
We recommend that you first use the steps provided in this guide in a test lab environment.
Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features
without additional deployment documentation and should be used with discretion as a stand-alone
document.
Upon completion of this guide, you will have two working AD RMS infrastructures configured with
a trusted user domain. You can then test and verify AD RMS and AD FS functionality as follows:
• Restrict permissions on a Microsoft® Word 2007 document in the CPANDL.COM
domain.
• Have an authorized user in the TREYRESEARCH.NET domain open and work with
the document.
The test environment described in this guide includes eight computers connected to a private
network and using the following operating systems, applications, and services:

Computer name            Operating system                         Applications and services
ADRMS-SRV, TREY-ADRMS    Windows Server® 2008                     AD RMS, Internet Information Services (IIS) 7.0,
                                                                  World Wide Web Publishing Service, and
                                                                  Message Queuing
CPANDL-DC, TREY-DC       Windows Server 2003 with Service Pack 2  Active Directory, Domain Name System (DNS)
                         (SP2) or Windows Server 2008
ADRMS-DB, TREY-DB        Windows Server 2003 with SP2             Microsoft SQL Server® 2005 Standard Edition
                                                                  with Service Pack 2 (SP2)
ADRMS-CLNT, ADRMS-CLNT2  Windows Vista® Enterprise Edition        Microsoft Office Word 2007

Note
Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, in this
step-by-step guide it is assumed that you will be using domain controllers running either Windows
Server 2003 with SP2 or Windows Server 2008.

Note
Before installing and configuring the components in this guide, you should verify that your
hardware meets the minimum requirements for AD RMS
(http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form two private intranets and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment, if desired. This
step-by-step exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named
cpandl.com is CPANDL-DC, and the domain controller for the domain named treyresearch.net is
TREY-DC. The following figure shows the configuration of the test environment:

Step 1: Setting up the Trey Research Domain


The Trey Research infrastructure contains all of the required components for an AD RMS
installation. In this step, you set up the computers that make up the Trey Research domain:
• Configure the domain controller (TREY-DC)
• Create user accounts and groups
• Configure the AD RMS database server (TREY-DB)
• Configure the AD RMS root cluster computer (TREY-ADRMS)
• Configure the AD RMS client computer (ADRMS-CLNT2)
Use the following table as reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.

Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity.

Computer name   Operating system requirement                IP settings                   DNS settings
TREY-DC         Windows Server 2003 with Service Pack 2     IP address: 10.0.0.30         Configured by DNS server role.
                (SP2) or Windows Server® 2008               Subnet mask: 255.255.255.0
TREY-ADRMS      Windows Server 2008 Enterprise or Windows   IP address: 10.0.0.33         Preferred: 10.0.0.30
                Server 2003 R2 Enterprise Edition with SP2  Subnet mask: 255.255.255.0
TREY-DB         Windows Server 2003 with SP2                IP address: 10.0.0.34         Preferred: 10.0.0.30
                                                            Subnet mask: 255.255.255.0
ADRMS-CLNT2     Windows Vista                               IP address: 10.0.0.32         Preferred: 10.0.0.30
                                                            Subnet mask: 255.255.255.0
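The same settings can be applied from the command line instead of through the Local Area Connection Properties dialog box, which makes it easier to confirm that each computer matches the table before it is joined to the domain. The following Windows PowerShell script is an added example and is not part of this guide; it assumes the adapter is named Local Area Connection, as in the procedures that follow, and that it is run from an elevated prompt on the computer being configured. The netsh "ipv4" context is the Windows Server 2008 and Windows Vista syntax; the Windows Server 2003 form is noted in the comments.

```powershell
# Added example (not from the guide): apply the static IPv4 and DNS settings from the
# table above to the computer this script runs on, then read them back with ipconfig.
# Assumes the adapter is named "Local Area Connection" and the prompt is elevated.

$adapter = "Local Area Connection"

# Settings taken from the table for the Trey Research lab. TREY-DC gets no DNS server
# here because the guide lets the DNS server role configure it.
$lab = @{
    "TREY-DC"     = @{ Address = "10.0.0.30"; Dns = $null }
    "TREY-ADRMS"  = @{ Address = "10.0.0.33"; Dns = "10.0.0.30" }
    "TREY-DB"     = @{ Address = "10.0.0.34"; Dns = "10.0.0.30" }
    "ADRMS-CLNT2" = @{ Address = "10.0.0.32"; Dns = "10.0.0.30" }
}

$name = $env:COMPUTERNAME.ToUpper()
if (-not $lab.ContainsKey($name)) {
    throw "This computer ($name) is not in the lab table; refusing to change its network settings."
}
$ip  = $lab[$name].Address
$dns = $lab[$name].Dns

# Static address and mask. No default gateway is set: the lab is an isolated 10.0.0.0/24 network.
# Windows Server 2003 syntax: netsh interface ip set address name="Local Area Connection" source=static addr=<ip> mask=<mask>
netsh interface ipv4 set address name="$adapter" source=static address=$ip mask=255.255.255.0
if ($LASTEXITCODE -ne 0) { throw "netsh failed to set the address on '$adapter'" }

if ($dns) {
    # Windows Server 2003 syntax: netsh interface ip set dns name="Local Area Connection" source=static addr=<ip>
    netsh interface ipv4 set dnsservers name="$adapter" source=static address=$dns
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to set the DNS server on '$adapter'" }
}

# Read the result back so it can be checked against the table before joining the domain.
# Windows Server 2003 labels the address line "IP Address", Windows Server 2008 "IPv4 Address".
ipconfig /all | Select-String -Pattern "IPv4 Address|IP Address|Subnet Mask|DNS Servers"
```

The script refuses to run on a computer whose name is not in the table, so it cannot silently reconfigure the wrong machine; the ipconfig output at the end is what you compare against the table.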

Configure the domain controller (TREY-DC)


Depending on your environment, you can evaluate AD RMS in either a Windows Server 2008
domain or a Windows Server 2003 domain. Use one of the following sections depending on the
domain to be used.
• Configure the Windows Server 2003–based domain controller
• Configure the Windows Server 2008–based domain controller

Configure the Windows Server 2003–based domain controller
To configure the domain controller TREY-DC, you must install Windows Server 2003, configure
TCP/IP properties, install Active Directory, and raise the Active Directory domain functional level
to Windows Server 2003.
First, install Windows Server 2003 with SP2 on the TREY-DC computer.

To install Windows Server 2003 Standard Edition


1. Start your computer by using the Windows Server 2003 product CD. (You can
use any edition of Windows Server 2003 except the Web Edition to establish the
domain.)
2. Follow the instructions that appear on your computer screen, and when prompted
for a computer name, type TREY-DC.

In this step, configure TCP/IP properties so that TREY-DC has a static IP address of 10.0.0.30.

To configure TCP/IP properties on TREY-DC


1. Log on to TREY-DC with the TREY-DC\Administrator account.
2. Click Start, point to Control Panel, point to Network Connections, click Local
Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type
10.0.0.30. In the Subnet mask box, type 255.255.255.0.
5. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.

Install Active Directory


In this step, you are going to create a domain controller for Trey Research. It is important that you
first configure the IP addresses as specified in the previous table before you attempt to install
Active Directory. This helps ensure that DNS records are configured appropriately.

To configure TREY-DC as a domain controller


1. Click Start, and then click Run. In the Open box, type dcpromo, and then click
OK.
2. On the Welcome page of the Active Directory Installation Wizard, click Next.
3. Click Next, click the Domain controller for a new domain option, and then click
Next.
4. Click the Domain in a new forest option, and then click Next.
5. In Full DNS name for new domain, type treyresearch.net and then click Next.
6. In Domain NetBIOS name, type treyresearch, and then click Next three times.
7. Click the Install and configure the DNS server on this computer and set this
computer to use this DNS server as its preferred DNS server option, and then
click Next.
8. Click the Permissions compatible only with Windows 2000 or Windows
Server 2003 operating systems option, and then click Next.
9. In the Restore Mode Password and Confirm Password boxes, type a strong
password, and then click Next.
10. Click Next.
11. When the Active Directory Installation Wizard is done, click Finish.
12. Click Restart Now.

Raise the domain functional level to Windows Server 2003


In this step, you raise the Active Directory domain functional level to Windows Server 2003. This
functional level allows the use of Active Directory universal groups.

To raise the domain functional level to Windows Server 2003


1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. Right-click treyresearch.net, and then click Raise Domain Functional Level.
4. In the list under Select an available domain functional level, click Windows
Server 2003, and then click Raise.

Note
You cannot change the domain functional level once you have raised it.
5. Click OK, and then click OK again.

Configure a DNS forwarder


DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the
treyresearch.net domain to the cpandl.com domain, and vice versa.

To configure a DNS forwarder on a Windows Server 2003–based computer


1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Right-click TREY-DC, and then click Properties.
4. Click the Forwarders tab.
5. In the Selected domain's forward IP address list section, type 10.0.0.1, and
then click Add.
6. Click OK.

Configure the Windows Server 2008–based domain controller
To configure the domain controller TREY-DC, you must install Windows Server 2008, configure
TCP/IP properties, and install Active Directory Domain Services.
First, install Windows Server 2008.

To install Windows Server 2008


1. Start your computer by using the Windows Server 2008 product CD.
2. Follow the instructions that appear on your screen, and when prompted for a
computer name, type TREY-DC.

Next, configure TCP/IP properties so that TREY-DC has a static IPv4 address of 10.0.0.30.

To configure TCP/IP properties on TREY-DC


1. Log on to TREY-DC with the TREY-DC\Administrator account.
2. Click Start, click Control Panel, click Network and Internet, click Network and
Sharing Center, click Manage Network Connections, right-click Local Area
Connection, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then
click Properties.
4. Click the Use the following IP address option. In IP address, type 10.0.0.30,
and in Subnet mask, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In Preferred DNS
server, type 10.0.0.30, and then click OK.
6. On the Networking tab, clear the Internet Protocol Version 6 (TCP/IPv6) check
box.
7. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.

Install Active Directory Domain Services


In this step, you are going to create a domain controller for Trey Research. It is important that you
first configure the IP addresses as specified in the previous procedure before you attempt to
install Active Directory Domain Services (AD DS). This helps ensure that DNS records are
configured appropriately.

To configure TREY-DC as a domain controller


1. Click Start, and then click Run.
2. In the Open box, type dcpromo, and then click OK.
3. On the Welcome to the Active Directory Domain Services Installation Wizard
page, click Next.
4. Click the Domain controller for a new domain option, and then click Next.
5. Click the Create a new domain in a new forest option, and then click Next.
6. In the FQDN of the forest root domain box, type treyresearch.net, and then
click Next.
7. In the Forest functional level box, click Windows Server 2003, and then click
Next.
8. In the Domain functional level box, click Windows Server 2003, and then click
Next.
9. Ensure that the DNS server check box is selected, and then click Next.
10. Click Yes, confirming that you want to create a delegation for this DNS server.
11. On the Location for Database, Log Files, and SYSVOL page, click Next.
12. In the Password and Confirm password boxes, type a strong password, and
then click Next.
13. On the Summary page, click Next to start the installation.
14. When the installation is complete, click Finish, and then click Restart Now.

Note
You must restart the computer after you complete this procedure.

Configure a DNS forwarder


DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the
treyresearch.net domain to the cpandl.com domain, and vice versa.

To configure a DNS forwarder


1. Log on to TREY-DC with the TREYRESEARCH\Administrator account or another
user account in the local Administrators group.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Right-click TREY-DC, and then click Properties.
4. Click the Forwarders tab.
5. Click Edit.
6. Type 10.0.0.1, and then click OK.
7. Click OK to close the properties sheet.
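Both "Configure a DNS forwarder" procedures above (the Windows Server 2003 and the Windows Server 2008 versions) make the same change, and it is worth confirming that the forwarder actually carries queries to the other forest before AD RMS is installed. The following Windows PowerShell script is an added example and is not part of this guide. It assumes it is run on TREY-DC after the forest exists, that CPANDL-DC answers DNS on 10.0.0.1 as the procedures state, and that the peer forest's hosts carry the names cpandl-dc.cpandl.com and adrms-srv.cpandl.com, which are constructed from the guide's computer names.

```powershell
# Added example (not from the guide): set the forwarder from the "Configure a DNS forwarder"
# procedures with dnscmd.exe, then check name resolution in both directions.
# Assumes it runs on TREY-DC and that CPANDL-DC listens on 10.0.0.1 as the guide states.

$dnsServer = "TREY-DC"
$forwarder = "10.0.0.1"   # CPANDL-DC: receives the queries TREY-DC cannot answer from its own zones

# Replace the forwarder list (the Forwarders tab in the GUI) with the peer forest's domain controller.
dnscmd $dnsServer /ResetForwarders $forwarder
if ($LASTEXITCODE -ne 0) { throw "dnscmd could not set the forwarder on $dnsServer" }

# Read the setting back: the Forwarders section of /Info should now list 10.0.0.1.
dnscmd $dnsServer /Info | Select-String -Pattern "Forward"

function Test-Resolution([string]$fqdn) {
    # Uses the local resolver, which on TREY-DC points at itself, so a cpandl.com name
    # resolves only if the forwarder works. Returns $true on success.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0,-32} -> {1}" -f $fqdn, ($ips -join ", "))
        return $true
    } catch {
        Write-Host ("{0,-32} -> FAILED: {1}" -f $fqdn, $_.Exception.Message)
        return $false
    }
}

# One local name (answered from the treyresearch.net zone) and two peer-forest names
# (answered only through the forwarder). The cpandl.com host names are assumed, built
# from the guide's computer names.
$results = @(
    Test-Resolution "trey-adrms.treyresearch.net"
    Test-Resolution "cpandl-dc.cpandl.com"
    Test-Resolution "adrms-srv.cpandl.com"
)
if ($results -contains $false) {
    Write-Warning "At least one lookup failed; check the forwarder and any firewall between the two networks."
}
```

A forwarder is consulted only for names outside the zones TREY-DC hosts, so the local name in the check must succeed regardless of the forwarder, and only the cpandl.com names prove that the forwarder is in effect. The same check, with the names and address swapped, applies on CPANDL-DC.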

Create user accounts and groups


In this section, you create the user accounts and groups in the TREYRESEARCH domain.
First, add the user accounts shown in the following table to Active Directory or AD DS. Use the
procedure following the table to create the user accounts.

Account name      User logon name   E-mail address
ADRMSADMIN        ADRMSADMIN
ADRMSSRVC         ADRMSSRVC
Terrence Philip   tphilip           tphilip@treyresearch.net

To add new user accounts to the TREYRESEARCH domain


1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In the console tree, expand treyresearch.net.
4. Right-click Users, point to New, and then click User.
5. In the New Object – User dialog box, type ADRMSADMIN in the Full name and
User logon name boxes, and then click Next.
6. In the New Object – User dialog box, type a password of your choice in the
Password and Confirm password boxes. Clear the User must change password
at next logon check box, click Next, and then click Finish.
7. Perform steps 3-6 for ADRMSSRVC and Terrence Philip (tphilip).

Next, add an e-mail address for Terrence Philip.

To add e-mail addresses to user accounts


1. In the Active Directory Users and Computers console, right-click Terrence
Philip, click Properties, type tphilip@treyresearch.net in the E-mail box, and then
click OK.
2. Close the Active Directory Users and Computers console.

Once the user accounts have been created, an Active Directory Universal group should be
created with Terrence Philip as a member. The following table lists the Universal group that
should be added to Active Directory. Use the procedure following the table to create the Universal
group.

Group name   E-mail address
Employees    employees@treyresearch.net

To add a new group object to Active Directory


1. In the Active Directory Users and Computers console, right-click Users, point
to New, and then click Group.
2. In the New Object – Group dialog box, type Employees in Group name, click
the Universal option for the Group Scope, and then click OK.

Next, add an e-mail address to the Trey Research employees group:

To add an e-mail address to a group object


1. In the Active Directory Users and Computers console, double-click Users,
right-click Employees, and then click Properties.
2. Type employees@treyresearch.net in the E-mail box, and then click OK.

Finally, add Terrence Philip to the Employees group by following these steps:

To add Terrence Philip to the Employees group


1. In the Active Directory Users and Computers console, double-click Users, and
then double-click Employees.
2. Click Members, and then click Add.
3. Type tphilip@treyresearch.net, and then click OK.
4. Close the Active Directory Users and Computers console.
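The accounts and the Employees group from the two tables in this section can also be created in one pass with ADSI, which works against both the Windows Server 2003 and the Windows Server 2008 domain controller used in this guide (the ActiveDirectory PowerShell module requires a later release). The following Windows PowerShell 2.0 script is an added example and is not part of this guide; it assumes it is run on TREY-DC as TREYRESEARCH\Administrator and that the objects go into the default Users container, as in the procedures above. Passwords are prompted for rather than written into the script.

```powershell
# Added example (not part of the guide): create the user accounts and the Employees
# universal group from the tables above through ADSI. Run on TREY-DC as
# TREYRESEARCH\Administrator; the Users container is assumed, as in the guide.

$domainDn       = "DC=treyresearch,DC=net"
$usersContainer = [ADSI]"LDAP://CN=Users,$domainDn"

# The guide raises the domain functional level to Windows Server 2003 before the universal
# group is created; msDS-Behavior-Version 2 is that level, so stop if it is still lower.
$level = [int]([ADSI]"LDAP://$domainDn").Get("msDS-Behavior-Version")
if ($level -lt 2) { throw "Domain functional level is $level; raise it to Windows Server 2003 first." }

# Accounts from the table; logon names and e-mail addresses are the guide's values.
$accounts = @(
    @{ Name = "ADRMSADMIN";      Logon = "ADRMSADMIN"; Mail = $null },
    @{ Name = "ADRMSSRVC";       Logon = "ADRMSSRVC";  Mail = $null },
    @{ Name = "Terrence Philip"; Logon = "tphilip";    Mail = "tphilip@treyresearch.net" }
)

function Read-PlainPassword([string]$who) {
    # ADSI SetPassword needs the clear text; read it at the prompt so it is never stored in the script.
    $secure = Read-Host -Prompt "Password for $who" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    return $plain
}

function New-LabUser($container, $acct) {
    $user = $container.Create("user", "CN=" + $acct.Name)
    $user.Put("sAMAccountName", $acct.Logon)
    $user.Put("userPrincipalName", $acct.Logon + "@treyresearch.net")
    $user.Put("displayName", $acct.Name)
    if ($acct.Mail) { $user.Put("mail", $acct.Mail) }
    $user.SetInfo()                          # the object must exist before a password can be set
    $user.SetPassword((Read-PlainPassword $acct.Logon))
    $user.Put("userAccountControl", 512)     # NORMAL_ACCOUNT and enabled; new objects start disabled
    $user.Put("pwdLastSet", -1)              # clears "User must change password at next logon"
    $user.SetInfo()
    return $user
}

$created = @{}
foreach ($acct in $accounts) { $created[$acct.Logon] = New-LabUser $usersContainer $acct }

# Employees: a security-enabled universal group (groupType 0x80000008) with its e-mail
# address, which the GUI procedures set in two separate steps.
$group = $usersContainer.Create("group", "CN=Employees")
$group.Put("sAMAccountName", "Employees")
$group.Put("groupType", -2147483640)
$group.Put("mail", "employees@treyresearch.net")
$group.SetInfo()
$group.Add($created["tphilip"].psbase.Path)  # IADsGroup::Add takes the member's ADsPath

# Read everything back so the result can be compared with the tables.
foreach ($logon in $created.Keys) {
    $u = $created[$logon]
    "{0,-12} UPN={1,-32} mail={2}" -f $logon, $u.userPrincipalName, $u.mail
}
$group.psbase.RefreshCache()
"Employees members: " + ($group.member -join ", ")
```

The functional-level check at the top ties the two procedures together: the guide raises the level before creating the universal group, and the script refuses to continue if that step was skipped. The read-back at the end is the equivalent of opening each object's Properties dialog box and confirming the logon name, e-mail address and membership.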

Configure the AD RMS database server (TREY-DB)


First, install Windows Server 2003 on the computer that will host the AD RMS databases.

To install Windows Server 2003 Standard Edition


1. Start your computer using the Windows Server 2003 product CD. (You can use
any edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted
for a computer name, type TREY-DB.

In this step, configure TCP/IP properties so that TREY-DB has a static IP address of 10.0.0.34.

To configure TCP/IP properties on TREY-DB


1. Log on to TREY-DB with the TREY-DB\Administrator account.
2. Click Start, point to Control Panel, point to Network Connections, click Local
Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type
10.0.0.34. In the Subnet mask box, type 255.255.255.0.
5. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.

Next, join the AD RMS database server (TREY-DB) computer to the TREYRESEARCH domain:

To join TREY-DB to the TREYRESEARCH domain
1. Click Start, right-click My Computer, and then click Properties.
2. Click Computer Name tab, and then click Change.
3. In the Computer Name Changes dialog box, select the Domain option, and
then type treyresearch.net.
4. Click More, and then type treyresearch.net in the Primary DNS suffix of this
computer box.
5. Click OK twice.
6. When a Computer Name Changes dialog box appears prompting you for
administrative credentials, provide the credentials for
TREYRESEARCH\Administrator, and then click OK.
7. When a Computer Name Changes dialog box appears welcoming you to the
treyresearch.net domain, click OK.
8. When a Computer Name Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click OK again.
9. Click Yes to restart the computer.

Next, install Microsoft SQL Server 2005 Standard Edition:

To install Microsoft SQL Server 2005


1. Log on to TREY-DB with the TREYRESEARCH\Administrator account.
2. Insert the Microsoft SQL Server 2005 product CD. The installation will start
automatically.
3. Click the I accept the licensing terms and conditions check box, and then
click Next.
4. On the Installing Prerequisites page, click Install.
5. Click Next.
6. On the Welcome to the Microsoft SQL Server Installation Wizard page, click
Next, and then click Next again.
7. In the Name box, type your name. In the Company box, type the name of your
organization, and then type in the appropriate product key. Click Next.
8. Select the SQL Server Database Services and Workstation components, Books
Online, and development tools check boxes, and then click Next.
9. Select the Default instance option, and then click Next.
10. Click the Use the built-in System account option, and then click Next.
11. Click the Windows Authentication Mode option, and then click Next.
12. Click Next, accepting the default Collation Settings, and then click Next again.
13. Click Install. When the status of all the selected components is finished, click
Next.
14. Click Finish.

Next, add ADRMSADMIN to the local Administrators group on TREY-DB. The user account that
installs AD RMS needs this membership in order to create the AD RMS databases. After AD RMS is
installed, ADRMSADMIN can be removed from this group.

To add ADRMSADMIN to local Administrators group


1. Click Start, point to Administrative Tools, and then click Computer
Management.
2. Expand System Tools, expand Local Users and Groups, and then click
Groups.
3. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN
in Enter the object names to select (examples) box, and then click OK.
4. Click OK, and then close Computer Management.

Configure the AD RMS root cluster computer (TREY-ADRMS)


In this section, the AD RMS root cluster computer is installed and the AD RMS role is added.

Install the AD RMS root cluster computer


To configure the AD RMS root cluster computer, TREY-ADRMS, you must install Windows
Server 2008, configure TCP/IP properties, and then join TREY-ADRMS to the domain
treyresearch.net. You must also add the account ADRMSADMIN as a member to the local
administrators group so that an administrator can use the ADRMSADMIN account to install
AD RMS on TREY-ADRMS.
First, install Windows Server 2008 as a stand-alone server.

To install Windows Server 2008


1. Start your computer by using the Windows Server 2008 product CD.
2. When prompted for a computer name, type TREY-ADRMS.
3. Follow the rest of the instructions that appear on your screen to finish the
installation.

Next, configure TCP/IP properties so that TREY-ADRMS has a static IP address of 10.0.0.33. In
addition, configure the DNS server by using the IP address of TREY-DC (10.0.0.30).

To configure TCP/IP Properties


1. Log on to TREY-ADRMS with the TREY-ADRMS\Administrator account or another
user account in the local Administrators group.
2. Click Start, click Control Panel, double-click Network and Sharing Center,
click Manage Network Connections, right-click Local Area Connection, and then
click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then
click Properties.
4. Click the Use the following IP address option. In IP address, type 10.0.0.33. In
Subnet mask, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In Preferred DNS
server, type 10.0.0.30.
6. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.

Next, join TREY-ADRMS to the treyresearch.net domain.

To join TREY-ADRMS to the treyresearch.net domain


1. Click Start, right-click Computer, and then click Properties.
2. Click Change settings (at the right side under Computer name, domain, and
workgroup settings), and then click Change.
3. In the Computer Name/Domain Changes dialog box, select the Domain option,
and then type treyresearch.net.
4. Click More, and type treyresearch.net in Primary DNS suffix of this computer
box.
5. Click OK, and then click OK again.
6. When a Computer Name/Domain Changes dialog box appears prompting you
for administrative credentials, provide the credentials for
TREYRESEARCH\Administrator, and then click OK.
7. When a Computer Name/Domain Changes dialog box appears welcoming you
to the treyresearch.net domain, click OK.
8. When a Computer Name/Domain Changes dialog box appears telling you that
the computer must be restarted, click OK, and then click Close.
9. Click Restart Now.

After the computer has restarted, add ADRMSADMIN to the local administrators group on TREY-
ADRMS.

To add ADRMSADMIN to the local administrators group


1. Log on to TREY-ADRMS with the TREYRESEARCH\Administrator account.
2. Click Start, click Administrative Tools, and then click Computer Management.
3. Expand System Tools, expand Local Users and Groups, and then click Groups.
4. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN
in Enter the object names to select (examples) box, and then click OK.
5. Click OK, and then close Computer Management.

Add the AD RMS server role to TREY-ADRMS
Windows Server 2008 includes the option to install AD RMS as a server role through Server
Manager. Both installation and configuration of AD RMS are handled through Server Manager.
The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is
composed of one or more AD RMS servers configured in a load-balancing environment. This
section will install and configure a single-server AD RMS root cluster in the treyresearch.net
domain.
Registering the AD RMS service connection point (SCP) requires that the installing user account
be a member of the Active Directory Enterprise Admins group.

Important
Access to the Enterprise Admins group should be granted only while AD RMS is being
installed. After installation is complete, the TREYRESEARCH\ADRMSADMIN account
should be removed from this group.

To add ADRMSADMIN to the Enterprise Admins group


1. Log on to TREY-DC with the treyresearch\Administrator account.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In the console tree, expand treyresearch.net, double-click Users, and then
double-click Enterprise Admins.
4. Click the Members tab, and then click Add.
5. Type adrmsadmin@treyresearch.net, and then click OK.
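The guide grants ADRMSADMIN three memberships that are needed only while AD RMS is being installed: Enterprise Admins (to register the service connection point, see the Important note above) and the local Administrators group on TREY-DB and TREY-ADRMS (to create the databases and install the role, see the earlier procedures). Granting and later revoking them from one script keeps the cleanup from being forgotten. The following Windows PowerShell script is an added example and is not part of this guide; it assumes it is run on TREY-DC as TREYRESEARCH\Administrator (dsmod.exe and dsget.exe are present on a domain controller), that the member servers are reachable by name through the WinNT ADSI provider, and the -Revoke switch is the script's own convention rather than a guide step.

```powershell
# Added example (not part of the guide): grant TREYRESEARCH\ADRMSADMIN the memberships the
# guide requires only for the installation, and revoke them afterwards with -Revoke.
# Assumes it runs on TREY-DC as TREYRESEARCH\Administrator.
param([switch]$Revoke)

$adrmsAdminDn = "CN=ADRMSADMIN,CN=Users,DC=treyresearch,DC=net"
$entAdminsDn  = "CN=Enterprise Admins,CN=Users,DC=treyresearch,DC=net"
$memberPath   = "WinNT://TREYRESEARCH/ADRMSADMIN,user"

# Local Administrators is needed on TREY-DB (to create the databases) and on TREY-ADRMS
# (to install the role). The guide removes the TREY-DB membership once AD RMS is installed.
$grantServers  = @("TREY-DB", "TREY-ADRMS")
$revokeServers = @("TREY-DB")

function Set-EnterpriseAdmin([bool]$grant) {
    # Enterprise Admins is required only to register the AD RMS service connection point.
    if ($grant) { dsmod group $entAdminsDn -addmbr $adrmsAdminDn }
    else        { dsmod group $entAdminsDn -rmmbr  $adrmsAdminDn }
    if ($LASTEXITCODE -ne 0) { throw "dsmod failed while updating $entAdminsDn" }
}

function Set-LocalAdmin([string]$server, [bool]$grant) {
    # The WinNT provider edits a remote computer's local group from TREY-DC.
    $admins = [ADSI]"WinNT://$server/Administrators,group"
    if ($grant) { $admins.Add($memberPath) } else { $admins.Remove($memberPath) }
}

function Test-LocalAdmin([string]$server) {
    # True when ADRMSADMIN is still a direct member of the server's Administrators group.
    $admins = [ADSI]"WinNT://$server/Administrators,group"
    $names  = $admins.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    }
    return [bool]($names -contains "ADRMSADMIN")
}

if ($Revoke) {
    Set-EnterpriseAdmin $false
    foreach ($s in $revokeServers) { Set-LocalAdmin $s $false }
} else {
    Set-EnterpriseAdmin $true
    foreach ($s in $grantServers)  { Set-LocalAdmin $s $true }
}

# Report where ADRMSADMIN still holds elevated membership, so nothing is left behind.
$isEnterpriseAdmin = [bool]((dsget group $entAdminsDn -members) -match "CN=ADRMSADMIN,")
"Enterprise Admins: $isEnterpriseAdmin"
foreach ($s in $grantServers) { "$s local Administrators: " + (Test-LocalAdmin $s) }
```

Run the script without parameters before the "To add the AD RMS server role" procedure and with -Revoke after the role is installed; the report at the end should then show Enterprise Admins and the TREY-DB membership as False. Membership changes take effect for ADRMSADMIN at its next logon, which is why the role procedure has you log off and on again.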

Install and configure AD RMS as a root cluster.

To add the AD RMS server role


1. Log on to TREY-ADRMS as treyresearch\ADRMSADMIN.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. In the Roles Summary box, click Add Roles. The Add Roles Wizard opens.
5. Read the Before You Begin section, and then click Next.
6. On the Select Server Roles page, select the Active Directory Rights
Management Services check box.
7. The Role Services page appears informing you of the AD RMS dependent role
services and features. Make sure that Web Server (IIS), Windows Process Activation
Service (WPAS), and Message Queuing are listed, and then click Add Required
Role Services. Click Next.
8. Read the AD RMS introduction page, and then click Next.
9. On the Select Role Services page, verify that the Active Directory Rights
Management Server check box is selected, and then click Next.
10. Click the Create a new AD RMS cluster option, and then click Next.
11. Click the Use a different database server option.
12. Click Select, type TREY-DB in the Select Computer dialog box, and then click
OK.
13. In Database Instance, click Default, and then click Validate.
14. Click Next.
15. Click Specify, type TREYRESEARCH\ADRMSSRVC, type the password for the
account, click OK, and then click Next.
16. Ensure that the Use AD RMS centrally managed key storage option is
selected, and then click Next.
17. Type a strong password in the Password box and in the Confirm password
box, and then click Next. This password protects the AD RMS cluster key; you need it
again to add a server to this cluster or to restore the cluster, so record it in a
secure location.
18. Choose the Web site where AD RMS will be installed, and then click Next. In an
installation that uses default settings, the only available Web site should be Default
Web Site.
19. Click the Use an SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain Name box, type trey-adrms.treyresearch.net,
and then click Validate. If validation succeeds, the Next button becomes available.
Click Next.
21. Click the Choose an existing certificate for SSL encryption option, click the
certificate that has been imported for this AD RMS cluster, and then click Next.
22. Type a name that will help you identify the AD RMS cluster in the Friendly name
box, and then click Next.
23. Ensure that the Register the AD RMS service connection point now option is
selected, and then click Next to register the AD RMS service connection point (SCP)
in Active Directory during installation.
24. Read the Introduction to Web Server (IIS) page, and then click Next.
25. Keep the Web server default check box selections, and then click Next.
26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes
to complete the installation.
27. Click Close.
28. Log off the server, and then log on again to update the security token of the
logged-on user account. The user account that is logged on when the AD RMS
server role is installed is automatically made a member of the AD RMS Enterprise
Administrators local group. A user must be a member of that group to administer
AD RMS.

Note
At this point in the guide, you can remove treyresearch\ADRMSADMIN from the local
Administrators group on TREY-DB.
Your AD RMS root cluster is now installed and configured.

Configure the AD RMS client computer (ADRMS-CLNT2)
To configure the ADRMS-CLNT2 client computer in the TREYRESEARCH domain, you must
install Windows Vista, configure TCP/IP properties, and then join the computer to the
TREYRESEARCH domain. You must also install an AD RMS-enabled application. In this example,
Microsoft Office Word 2007 Enterprise Edition is installed on the client.

To install Windows Vista


1. Start your computer by using the Windows Vista product CD.
2. Follow the instructions that appear on your screen, and when prompted for a
computer name, type ADRMS-CLNT2.

Next, configure TCP/IP properties so that ADRMS-CLNT2 has a static IP address of 10.0.0.32. In
addition, configure the DNS server of TREY-DC (10.0.0.30).

To configure TCP/IP properties


1. Log on to ADRMS-CLNT2 with the ADRMS-CLNT2\Administrator account or
another user account in the local Administrators group.
2. Click Start, click Network, and then click Network and Sharing Center.
3. Click Manage Network Connections, right-click Local Area Connection, and
then click Properties.
4. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then
click Properties.
5. Select the Use the following IP address option. In IP address, type 10.0.0.32,
in Subnet mask, type 255.255.255.0.
6. Select the Use the following DNS server addresses option. In Preferred DNS
server, type 10.0.0.30.
7. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.

Next, join the ADRMS-CLNT2 to the TREYRESEARCH domain.

To join ADRMS-CLNT2 to the TREYRESEARCH domain


1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change
settings.

3. On the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, select the Domain option,
and then type treyresearch.net.
5. Click More, and in the Primary DNS suffix of this computer box, type
treyresearch.net.
6. Click OK, and click OK again.
7. When a Computer Name/Domain Changes dialog box appears prompting you
for administrative credentials, provide the credentials for treyresearch\administrator,
and then click OK.
8. When a Computer Name/Domain Changes dialog box appears welcoming you
to the treyresearch.net domain, click OK.
9. When a Computer Name/Domain Changes dialog box appears telling you that
the computer must be restarted, click OK, and then click Close.
10. In the System Settings Change dialog box, click Yes to restart the computer.

Finally, install Microsoft Office Word 2007 Enterprise Edition on ADRMS-CLNT2.

To install Microsoft Office Word 2007 Enterprise


1. Double-click setup.exe from the Microsoft Office 2007 Enterprise product CD.
2. Click Customize as the installation type, set the installation type to Not
Available for all applications except Microsoft Office Word 2007 Enterprise, and then
click Install Now. This might take several minutes to complete.

Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007
allow you to create rights-protected content. All editions will allow you to consume rights-
protected content.

Step 2: Configure AD RMS to Work Across Forests
In this step, you do the following:
• Create a trusted user domain between the AD RMS installations
• Enable anonymous access on the AD RMS licensing pipeline
• Extend the Active Directory schema
• Create contact objects and distribution groups

Create a trusted user domain between the
AD RMS installations
In a default AD RMS installation, use licenses are not issued to users whose rights account
certificates (RACs) were issued by a different AD RMS cluster. You can configure AD RMS to
process such requests by importing the trusted user domain (TUD) of the other AD RMS
installation. The TUD file carries the other cluster's server licensor certificate, which is
what this cluster then uses to validate RACs issued in that forest.
The trusted user domain must be exported from one AD RMS cluster and then imported into the
other. A trusted user domain is required only if the AD RMS clusters are in different forests.
First, export the trusted user domain by using the Active Directory Rights Management Services
console.

To export a trusted user domain from the cpandl.com domain


1. Log on to ADRMS-SRV as cpandl\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Active Directory
Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. Expand the AD RMS cluster, and then expand Trust Policies.
5. Click Trusted User Domains, right-click the certificate named Enterprise, and
then click Export Trusted User Domain.
6. In the File name box, type \\adrms-db\public\cpandlTUD.bin, and then click
Save.

Note
For scenarios in which the domains are in different networks, make sure that the
AD RMS administrator of the second domain can read this file, and that only the
exporting administrator can write to its location: whoever can replace the file decides
which cluster's rights account certificates the importing cluster will trust.

Next, import the trusted user domain that was just exported from the AD RMS cluster in the
CPANDL domain into the TREYRESEARCH domain by using the Active Directory Rights
Management Services console.

To import a trusted user domain file into the treyresearch.net domain


1. Log on to TREY-ADRMS as treyresearch\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Active Directory
Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. Expand the AD RMS cluster, expand Trust Policies, right-click Trusted User
Domains, and then click Import Trusted User Domain.
5. In the Trusted user domain file box, type \\adrms-db\public\cpandlTUD.bin.

6. In the Display name box, type CPANDL.COM, and then click Finish.

Finally, repeat the above procedures and import the Trey Research trusted user domain file into
the CPANDL domain.

To export a trusted user domain from the treyresearch.net domain


1. Log on to TREY-ADRMS as treyresearch\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Active Directory
Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. Expand the AD RMS cluster, and then expand Trust Policies.
5. Click Trusted User Domains, right-click the certificate named Enterprise, and
then click Export Trusted User Domain.
6. In the File name box, type \\adrms-db\public\treyresearchTUD.bin, and then
click Save.

Note
For scenarios in which the domains are in different networks, make sure that the
AD RMS administrator of the second domain can read this file, and that only the
exporting administrator can write to its location: whoever can replace the file decides
which cluster's rights account certificates the importing cluster will trust.

To import a trusted user domain file into the cpandl.com domain


1. Log on to ADRMS-SRV as cpandl\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Active Directory
Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. Expand the AD RMS cluster, expand Trust Policies, right-click Trusted User
Domains, and then click Import Trusted User Domain.
5. In the Trusted user domain file box, type \\adrms-db\public\treyresearchTUD.bin.
6. In the Display name box, type TREYRESEARCH.NET, and then click Finish.
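The export and import above can also be scripted. The following is an added example and is not part of the original guide; it assumes the AdRmsAdmin PowerShell module (shipped with Windows Server 2008 R2 and later; the Windows Server 2008 release this guide targets has no AD RMS PowerShell provider), the guide's host names and share, and the cmdlet names Export-RmsTUD and Import-RmsTUD as documented for that module. It adds the one check the GUI procedure lacks: comparing a hash of the TUD file before importing it, because the file is the public key of the cluster whose rights account certificates this cluster is about to honour.

```powershell
# Added example (not from the original guide). Two halves, run on two servers;
# the value of $expected travels between them out of band (phone, signed mail).
Import-Module AdRmsAdmin

function Get-Sha256Hex([string]$Path) {
    # .NET hashing works on every PowerShell version; Get-FileHash needs 4.0 or later.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$tudFile = '\\adrms-db\public\cpandlTUD.bin'

# --- On ADRMS-SRV, as cpandl\adrmsadmin: export this cluster's TUD ---
New-PSDrive -Name Cpandl -PSProvider AdRmsAdmin -Root 'https://adrms-srv.cpandl.com' | Out-Null
Export-RmsTUD -Path 'Cpandl:\TrustPolicy\TrustedUserDomain' -SavePath $tudFile
$expected = Get-Sha256Hex $tudFile
"cpandlTUD.bin SHA-256: $expected"   # hand this to the Trey Research administrator separately

# --- On TREY-ADRMS, as treyresearch\adrmsadmin: verify, then import ---
# Anyone who can replace the file on the share chooses which cluster's RACs
# this cluster will accept, so refuse to import a file whose hash differs.
if ((Get-Sha256Hex $tudFile) -ne $expected) { throw 'TUD file hash mismatch; not importing.' }
New-PSDrive -Name Trey -PSProvider AdRmsAdmin -Root 'https://trey-adrms.treyresearch.net' | Out-Null
Import-RmsTUD -Path 'Trey:\TrustPolicy\TrustedUserDomain' -DisplayName 'CPANDL.COM' -SourceFile $tudFile

# Confirm the new trust is listed next to the cluster's own Enterprise entry
Get-ChildItem 'Trey:\TrustPolicy\TrustedUserDomain'
```

Run the same script with the roles swapped (export on TREY-ADRMS, import on ADRMS-SRV with display name TREYRESEARCH.NET) for the second direction of the trust.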

Enable anonymous access on the AD RMS licensing pipeline
For each AD RMS cluster, you must enable anonymous access on the AD RMS license.asmx and
servicelocator.asmx files in the licensing pipeline. Licensing requests from users in the
trusted forest cannot be authenticated with Windows credentials of this forest; they are
authenticated by the rights account certificate that accompanies the request, which the
cluster validates against the imported trusted user domain. Enable anonymous access on these
two files only, not on the licensing directory as a whole and not on the certification
pipeline, which must continue to authenticate Windows users.

To enable anonymous access on the AD RMS licensing pipeline


1. Log on to ADRMS-SRV as cpandl\adrmsadmin.

2. Click Start, point to Administrative Tools, and then click Internet Information
Services (IIS) Manager.
3. If the User Account Control dialog box appears, confirm that the action it
displays is what you want, and then click Continue.
4. Expand the domain node, expand Sites, expand Default Web Site, and then
expand _wmcs.
5. Right-click the licensing folder, and then click Switch to Content View.
6. Right-click ServiceLocator.asmx, and then click Switch to Features View.
7. Under IIS, double-click Authentication, right-click Anonymous Authentication,
and then click Enable.
8. Right-click the licensing directory again, and then click Switch to Content View.
9. Right-click license.asmx, and then click Switch to Features View.
10. Double-click Authentication, right-click Anonymous Authentication, and then
click Enable.
11. Log on to TREY-ADRMS as treyresearch\adrmsadmin and repeat steps 1-10 for
the treyresearch.net domain.
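The same change can be made and, more usefully, checked from a script. The following is an added example and is not part of the original guide; it runs once on each cluster, uses appcmd.exe (which ships with IIS 7 on Windows Server 2008), and assumes the default AD RMS virtual directory layout for the certification.asmx path it checks.

```powershell
# Added example (not from the original guide): anonymous access on the two
# licensing files, then a read-back that also confirms nothing else opened up.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'
$section = 'system.webServer/security/authentication/anonymousAuthentication'

# Only these two files: requests from the trusted forest are authenticated by the
# rights account certificate they carry, not by a Windows logon in this forest.
$open = @("$site/_wmcs/licensing/license.asmx",
          "$site/_wmcs/licensing/servicelocator.asmx")

foreach ($file in $open) {
    # /commit:apphost writes a <location path="..."> element into
    # applicationHost.config, as IIS Manager does for this locked section; a
    # web.config dropped into the licensing folder would be rejected instead.
    & $appcmd set config "$file" "/section:$section" /enabled:true /commit:apphost
}

function Get-AnonymousEnabled([string]$ConfigPath) {
    # appcmd prints the effective section, e.g. <anonymousAuthentication enabled="true" ... />
    $out = & $appcmd list config "$ConfigPath" "/section:$section"
    return [bool](($out -join ' ') -match 'anonymousAuthentication\s+enabled="true"')
}

# Must be true: the two files. Must stay false: their parent directory and the
# certification pipeline, which keeps authenticating Windows users.
$closed = @("$site/_wmcs/licensing",
            "$site/_wmcs/certification",
            "$site/_wmcs/certification/certification.asmx")

foreach ($p in $open) {
    if (-not (Get-AnonymousEnabled $p)) { Write-Warning "anonymous access is still off on $p" }
    else { "ok   anonymous on  $p" }
}
foreach ($p in $closed) {
    if (Get-AnonymousEnabled $p) { Write-Warning "anonymous access is enabled on $p; revert it" }
    else { "ok   anonymous off $p" }
}
```

Run it as the AD RMS administrator on ADRMS-SRV, then on TREY-ADRMS; the check loop is worth re-running after any later IIS change, since a site-wide authentication edit would silently widen what this step opened.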

Extend Active Directory schema


When users across Active Directory forests need to exchange rights-protected content, the
AD RMS clusters need to know the forest in which the user account or group resides. This is
done by using the msExchOriginatingForest Active Directory schema attribute. This schema
attribute is installed with Microsoft Exchange Server 2003 and later. If you do not have an
Exchange server deployed in your environment, you must extend the schema to include this
attribute by using ldifde.exe from the command prompt on a domain controller in each forest.

Extend the schema in the cpandl.com domain


To extend the schema in the cpandl.com domain, copy the following text into a text file
named cpandl.ldf. In this guide, you save it to the cpandl\administrator desktop on CPANDL-DC.
In LDIF a blank line ends a record, so keep the lines of each record together and separate
the four records only by the single blank lines shown here.
dn: CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0

dn: CN=Contact,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=Group,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=User,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

Finally, run ldifde.exe to extend the schema by using the following procedure. The account
must be a member of Schema Admins (the forest root Administrator is a member by default), and
the server named with -s must hold the schema master role; in this guide CPANDL-DC is the only
domain controller. Schema additions cannot be removed, only deactivated, so check the .ldf
before importing it.

To run the ldifde command to extend the schema
1. Log on to CPANDL-DC as cpandl\administrator.
2. Click Start, and then click Command Prompt.
3. Type the following, and then press ENTER:
cd %systemdrive%\Users\Administrator\Desktop
where %systemdrive% is the volume on which Windows Server 2008 is installed.
4. Type the following on one line, and then press ENTER:
ldifde.exe -s cpandl-dc -v -i -k -f cpandl.ldf /c "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM" "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM"

Note
The last two entries of this command are the same because the source and
target name are the same: -c replaces every occurrence of the first DN with the second.
-i selects import, -v prints each entry as it is processed, and -k continues past
"Object Already Exists" and "Constraint Violation" errors, so a forest in which
Exchange has already created the attribute does not stop the import.
5. To confirm that the command was successful, the last two lines of the output
should say the following:
4 entries modified successfully.
The command has completed successfully.
The four entries are the new attribute and the three class modifications.

Extend the schema in the treyresearch.net domain


To extend the schema in the treyresearch.net domain, copy the following text into a
text file named trey.ldf. In this guide, you save it to the treyresearch\administrator desktop on
TREY-DC. As before, keep the lines of each record together and separate the four records only
by single blank lines.
dn: CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0

dn: CN=Contact,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=Group,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=User,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

Finally, run ldifde.exe to extend the schema by using the following procedure. The same
requirements apply as in the cpandl.com forest: the account must be a member of Schema
Admins and -s must name the schema master, which in this guide is TREY-DC, the forest's only
domain controller.

To run the ldifde command to extend the schema

1. Log on to TREY-DC as treyresearch\administrator.
2. Click Start, and then click Command Prompt.
3. Type the following, and then press ENTER:
cd %systemdrive%\Users\Administrator\Desktop
where %systemdrive% is the volume on which Windows Server 2008 is installed.
4. Type the following on one line, and then press ENTER:
ldifde.exe -s trey-dc -v -i -k -f trey.ldf /c "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET" "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET"

Note
The last two entries of this command are the same because the source and
target name are the same.
5. To confirm that the command was successful, the last two lines of the output
should say the following:
4 entries modified successfully.
The command has completed successfully.
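Before running ldifde in either forest, and again afterwards, it is worth checking what the schema actually contains, since a forest with Exchange already has the attribute and a forest with a same-named attribute from some other source should not have the .ldf applied blindly. The following script is an added example and is not part of the original guide. It uses only ADSI and .NET (no Active Directory module, so it runs on the Windows Server 2008 domain controllers in this guide), reads the schema naming context from RootDSE so the one script serves both CPANDL-DC and TREY-DC, and compares the live attribute against the identifiers in the .ldf above.

```powershell
# Added example (not from the original guide): verify the msExchOriginatingForest
# schema extension in the forest you are logged on to. Run on the domain
# controller as the forest administrator (a Schema Admin by default).
$schemaNc     = ([adsi]'LDAP://RootDSE').schemaNamingContext.Value
$expectedOid  = '1.2.840.113556.1.4.7000.102.50300'                    # attributeID in the .ldf
$expectedGuid = [Convert]::FromBase64String('5h1nFlOXv0eaEr4xq+CvCA==') # schemaIdGuid in the .ldf

function Find-SchemaObject([string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$schemaNc")
    $s.Filter      = $Filter
    $s.SearchScope = 'OneLevel'
    return $s.FindOne()
}

$attr = Find-SchemaObject '(&(objectClass=attributeSchema)(lDAPDisplayName=msExchOriginatingForest))'
if ($attr -eq $null) {
    'msExchOriginatingForest is not in the schema: import the .ldf with ldifde.'
    return
}

# The attribute exists. If Exchange created it, its identifiers match the .ldf and
# ldifde is unnecessary (-k would only skip the "already exists" error). If the
# identifiers differ, something else owns that name: do not import the .ldf.
$oidOk  = ($attr.Properties['attributeid'][0] -eq $expectedOid)
$actual = [byte[]]$attr.Properties['schemaidguid'][0]
$guidOk = ([BitConverter]::ToString($actual) -eq [BitConverter]::ToString($expectedGuid))
"attributeID matches .ldf: $oidOk; schemaIDGUID matches .ldf: $guidOk"
if (-not ($oidOk -and $guidOk)) {
    Write-Warning 'identifiers differ from the .ldf; do not run ldifde until this is understood'
}

# Each class the .ldf modifies must list the attribute in mayContain, otherwise the
# Attribute Editor tab will not offer it on contacts, groups and users.
foreach ($cls in 'contact', 'group', 'user') {
    $c   = Find-SchemaObject "(&(objectClass=classSchema)(lDAPDisplayName=$cls))"
    $has = @($c.Properties['maycontain']) -contains 'msExchOriginatingForest'
    '{0,-8} mayContain msExchOriginatingForest: {1}' -f $cls, $has
}
```

If the mayContain check passes immediately after ldifde but Active Directory Users and Computers does not yet show the attribute, the domain controller's schema cache has not refreshed; it does so on its own within a few minutes, or you can write schemaUpdateNow=1 to RootDSE to force it.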

Create contact objects and distribution groups


Active Directory contact objects are used to tell the AD RMS cluster the forest in which the user
account resides. Similarly, distribution groups are used to tell the AD RMS cluster the forest in
which the group resides. You must create contact objects and distribution groups in each forest
for every user and group that will be used with AD RMS. In this guide, you create contact objects
for Nicole Holliday and Terrence Philip, and distribution groups for the Employees group in each
forest.
Create the contact objects by using the following procedure:

To create an Active Directory contact object for the cpandl.com domain


1. Log on to CPANDL-DC as cpandl\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand cpandl.com, right-click Users, point to New, and then click Contact.
5. In the Full Name and Display name boxes, type Terrence Philip, and then click
OK.
6. Open the Users folder, and then double-click the Terrence Philip contact object.
7. In the E-mail box, type tphilip@treyresearch.net, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes
box, and then click Edit.
9. In the Value to add box, type treyresearch.net, click Add, and then click OK.
10. Click OK to close the Terrence Philip properties sheet.

Next, create the contact objects in the Trey Research domain:

To create an Active Directory contact object for the treyresearch.net domain


1. Log on to TREY-DC as treyresearch\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory

Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand treyresearch.net, right-click Users, point to New, and then click
Contact.
5. In the Full Name and Display name boxes, type Nicole Holliday, and then
click OK.
6. Open the Users folder, and then double-click the Nicole Holliday contact object.
7. In the E-mail box, type nhollida@cpandl.com, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes
box, and then click Edit.
9. In the Value to add box, type cpandl.com, click Add, and then click OK.
10. Click OK to close the Nicole Holliday properties sheet.
Next, create the distribution groups and set the msExchOriginatingForest attribute on
each group to the forest in which the real group resides.

To create the Trey Research Employees distribution group for the cpandl.com domain
1. Log on to CPANDL-DC as cpandl\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand cpandl.com, right-click Users, point to New, and then click Group.
5. In the Group name box, type Trey Research Employees, click the Universal
option, click the Distribution option, and then click OK.
6. Open the Users folder, and then double-click the Trey Research Employees
distribution group.
7. In the E-mail box, type employees@treyresearch.net, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes
box, and then click Edit.
9. In the Value to add box, type treyresearch.net, click Add, and then click OK.
10. Click OK to close the Trey Research Employees properties sheet.

Finally, create the matching distribution group in the Trey Research forest and set its
msExchOriginatingForest attribute.

To create the CPANDL Employees distribution group for the treyresearch.net domain
1. Log on to TREY-DC as treyresearch\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. Click View, and then click Advanced Features.

4. Expand treyresearch.net, right-click Users, point to New, and then click Group.
5. In the Group name box, type CPANDL Employees, click the Universal option,
click the Distribution option, and then click OK.
6. Open the Users folder, and then double-click the CPANDL Employees
distribution group.
7. In the E-mail box, type employees@cpandl.com, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes
box, and then click Edit.
9. In the Value to add box, type cpandl.com, click Add, and then click OK.
10. Click OK to close the CPANDL Employees properties sheet.
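The contact and the distribution group can also be created from a script, which is the practical route once there are more than a handful of users, and the script can then audit what is in the forest. The following is an added example and is not part of the original guide. It uses ADSI only, so it runs on the guide's Windows Server 2008 domain controllers without extra modules, and it requires the schema extension from the previous section. The values shown are those for CPANDL-DC (run as cpandl\Administrator); on TREY-DC substitute Nicole Holliday, nhollida@cpandl.com, CPANDL Employees, employees@cpandl.com and cpandl.com. The sAMAccountName values are an assumption of this example, since the GUI procedure lets Active Directory pick them.

```powershell
# Added example (not from the original guide): create the foreign-forest contact
# and distribution group with ADSI, then audit every object tagged with a
# foreign forest. Run on CPANDL-DC as cpandl\Administrator.
$domainDn = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value   # DC=cpandl,DC=com here
$users    = [adsi]"LDAP://CN=Users,$domainDn"

function New-ForeignContact([string]$Name, [string]$Mail, [string]$Forest) {
    $c = $users.Create('contact', "CN=$Name")
    $c.Put('displayName', $Name)
    $c.Put('mail', $Mail)                      # matched against the address in the foreign RAC
    $c.Put('msExchOriginatingForest', $Forest) # tells AD RMS which forest holds this identity
    $c.SetInfo()
    return $c.Path
}

function New-ForeignDistributionGroup([string]$Name, [string]$Sam, [string]$Mail, [string]$Forest) {
    $g = $users.Create('group', "CN=$Name")
    # groupType 8 = ADS_GROUP_TYPE_UNIVERSAL_GROUP with the security-enabled bit
    # (0x80000000) clear: a universal distribution group, usable for mail and for
    # AD RMS group expansion but never in an ACL.
    $g.Put('groupType', 8)
    $g.Put('sAMAccountName', $Sam)             # assumed value; the GUI lets AD generate one
    $g.Put('mail', $Mail)
    $g.Put('msExchOriginatingForest', $Forest)
    $g.SetInfo()
    return $g.Path
}

New-ForeignContact 'Terrence Philip' 'tphilip@treyresearch.net' 'treyresearch.net'
New-ForeignDistributionGroup 'Trey Research Employees' 'TreyEmployees' 'employees@treyresearch.net' 'treyresearch.net'

# Audit: a contact or group tagged with a foreign forest but lacking a mail
# address can never match a licensing request. List every tagged object with
# its mail address and flag the gaps now rather than discovering them in Word.
$s = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainDn")
$s.Filter = '(&(|(objectClass=contact)(objectClass=group))(msExchOriginatingForest=*))'
[void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'mail', 'msexchoriginatingforest'))
foreach ($r in $s.FindAll()) {
    $mail = '<no mail: will not resolve>'
    if ($r.Properties['mail'].Count -gt 0) { $mail = $r.Properties['mail'][0] }
    '{0,-18} {1,-30} {2}' -f $r.Properties['msexchoriginatingforest'][0], $mail, $r.Properties['distinguishedname'][0]
}
```

The audit query is the part to keep: run it in both forests whenever users or groups are added, because a tagged object with the wrong or missing mail address fails silently as a licensing denial on the client.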

Step 3: Verifying AD RMS Functionality


The AD RMS client is included in the default installation of Windows Vista and Windows
Server 2008. Previous versions of the client are available for download for some earlier versions
of the Windows operating systems. For more information, see the Windows Server 2003 Rights
Management Services page in the Microsoft Windows Server TechCenter
(http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can publish or consume rights-protected content on Windows Vista, you must add the
AD RMS cluster URLs for each forest to the Internet Explorer Local Intranet security zone on the
AD RMS client computers. The Local Intranet zone is the one that allows automatic logon with
the current user's Windows credentials, and that setting is what lets Microsoft Office Word
pass your credentials to the AD RMS Web services without prompting. Add only the two cluster
host names, not whole domains, so that this automatic logon is not extended to other sites.

To add AD RMS cluster URLs to the Internet Explorer Local Intranet security zone
1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).
2. Click Start, click Control Panel, click Network and Internet, and then click
Internet Options.
3. Click the Security tab, and then click Local Intranet.
4. Click Sites, and then click Advanced.
5. In the Add this website to the zone box, do the following:
a. Type https://adrms-srv.cpandl.com, and then click Add.
b. Type https://trey-adrms.treyresearch.net, and then click Add.
6. Click Close, and then click OK. Repeat steps 1 through 5 on ADRMS-CLNT2 as Terrence
Philip (treyresearch\tphilip).
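The same zone assignment can be made from the registry, which is easier to repeat on several clients and to verify. The following is an added example and is not part of the original guide; it uses the documented Internet Explorer ZoneMap layout (Local intranet is zone 1) and writes under HKCU, so it applies to the logged-on user only. Run it once as Nicole Holliday on ADRMS-CLNT and once as Terrence Philip on ADRMS-CLNT2.

```powershell
# Added example (not from the original guide): put the two AD RMS cluster URLs
# in the Local intranet zone for the current user, then read the result back.
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$clusters = @{ 'cpandl.com' = 'adrms-srv'; 'treyresearch.net' = 'trey-adrms' }

foreach ($domain in $clusters.Keys) {
    # One key per host and for https only. The intranet zone is what lets Word
    # hand the user's Windows credentials to a site without prompting, so a
    # wildcard entry for the whole domain would widen that to every host in it.
    $key = Join-Path (Join-Path $zoneMap $domain) $clusters[$domain]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Read back: each cluster host maps https to zone 1 and has no http entry,
# so a plain-http URL would not inherit the automatic logon.
foreach ($domain in $clusters.Keys) {
    $key  = Join-Path (Join-Path $zoneMap $domain) $clusters[$domain]
    $item = Get-ItemProperty -Path $key
    $ok   = ($item.https -eq 1) -and (-not $item.PSObject.Properties['http'])
    '{0,-5} https://{1}.{2}' -f $ok, $clusters[$domain], $domain
}
```

Outside a test lab, deliver this through Group Policy (the Site to Zone Assignment List setting under Internet Explorer's Security Page) rather than per-user registry edits, so that the assignment is the same on every client and cannot be altered by the user.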

To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a
Microsoft Word 2007 document, and then restrict permissions on it so that Terrence Philip is able
to read the document but is unable to change, print, or copy it. You then log on as Terrence
Philip and verify that he can read the document but do nothing else with it.

To restrict permissions on a Microsoft Word document
1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).
2. Click Start, point to All Programs, click Microsoft Office, and then click
Microsoft Office Word 2007.
3. Type Only Terrence Philip can read this document, but cannot change, print,
or copy it. Click the Microsoft Office Button, point to Prepare, point to Restrict
Permission, and then click Restricted Access.
4. Select the Restrict permission to this document check box.
5. In the Read text box, type tphilip@treyresearch.net, and then click OK to close
the Permission dialog box.
6. Click the Microsoft Office Button, click Save As, and then save the file as
\\adrms-db\public\ADRMS-TST.docx.
7. Log off as Nicole Holliday.

Finally, log on as Terrence Philip on ADRMS-CLNT2 in the TREYRESEARCH.NET domain and
attempt to open the document, ADRMS-TST.docx.

To view a protected document


1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip).
2. Click Start, point to All Programs, click Microsoft Office, and then click
Microsoft Office Word 2007.
3. Click the Microsoft Office Button, click Open, and then type
\\adrms-db\public\ADRMS-TST.docx. If you are prompted for credentials, use those of
CPANDL\Administrator to allow Terrence Philip to access the document in its location
in the cpandl forest. Handing out administrator credentials is acceptable only in this
test lab; in production, deliver the file by a channel the recipient can reach on his own
(e-mail, or a share in his own forest). The protection travels with the document, not
with its location, so the AD RMS check that follows does not depend on how the file was
reached.
The following message appears: "Permission to this document is currently restricted.
Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to
verify your credentials and download your permissions."
This is the licensing pipeline of the publishing forest's cluster, being contacted by a
user whose rights account certificate was issued in the other forest; it is the request
that the trusted user domain and the anonymous-access setting in Step 2 make possible.
4. Click OK.
The following message appears: "Verifying your credentials for opening content with
restricted permissions".
5. When the document opens, click Microsoft Office Button. Notice that the Print
option is not available.
6. Click View Permission in the message bar. You should see that Terrence Philip
has been restricted to being able only to read the document.
7. Click OK to close the My Permissions dialog box, and then close Microsoft
Word.
8. Log off as Terrence Philip.

You have successfully deployed and demonstrated the functionality of using AD RMS across
forests, using the simple scenario of applying restricted permissions to a Microsoft Word 2007

document. You can also use this deployment to explore some of the additional capabilities of
AD RMS through additional configuration and testing.
